From cc9f42e360225ca0e36009441bea4a970a33d279 Mon Sep 17 00:00:00 2001
From: akozlovets098
Date: Fri, 8 Dec 2023 17:55:02 +0200
Subject: [PATCH] Add references to rules (crowdstrike_rules)
---
 .../aws_authentication_from_crowdstrike_unmanaged_device.yml | 1 +
 rules/crowdstrike_rules/crowdstrike_base64_encoded_args.yml | 2 +-
 rules/crowdstrike_rules/crowdstrike_credential_dumping_tool.yml | 1 +
 rules/crowdstrike_rules/crowdstrike_cryptomining_tools.yml | 1 +
 rules/crowdstrike_rules/crowdstrike_detection_passthrough.yml | 1 +
 rules/crowdstrike_rules/crowdstrike_macos_add_trusted_cert.yml | 1 +
 .../crowdstrike_macos_osascript_administrator.yml | 1 +
 rules/crowdstrike_rules/crowdstrike_macos_plutil_usage.yml | 1 +
 .../crowdstrike_remote_access_tool_execution.yml | 1 +
 .../crowdstrike_reverse_shell_tool_executed.yml | 1 +
 rules/crowdstrike_rules/crowdstrike_systemlog_tampering.yml | 1 +
 .../crowdstrike_unusual_parent_child_processes.yml | 1 +
 rules/crowdstrike_rules/crowdstrike_wmi_query_detection.yml | 1 +
 .../okta_login_from_crowdstrike_unmanaged_device.yml | 1 +
 .../onepassword_login_from_crowdstrike_unmanaged_device.yml | 1 +
 15 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/rules/crowdstrike_rules/aws_authentication_from_crowdstrike_unmanaged_device.yml b/rules/crowdstrike_rules/aws_authentication_from_crowdstrike_unmanaged_device.yml
index b3aa8bd39..794b54751 100644
--- a/rules/crowdstrike_rules/aws_authentication_from_crowdstrike_unmanaged_device.yml
+++ b/rules/crowdstrike_rules/aws_authentication_from_crowdstrike_unmanaged_device.yml
@@ -3,6 +3,7 @@ Description: Detects AWS Logins from IP addresses not found in CrowdStrike's AIP
 DisplayName: "AWS Authentication From CrowdStrike Unmanaged Device"
 Enabled: false
 Filename: aws_authentication_from_crowdstrike_unmanaged_device.py
+Reference: https://www.crowdstrike.com/wp-content/uploads/2023/05/crowdstrike-falcon-device-control-data-sheet.pdf
 Severity: Medium
 Tests:
 - ExpectedResult: true
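Review bot: The added Reference for this rule points at the Falcon Device Control data sheet, which as far as I know describes the USB/peripheral device-control feature rather than the agent IP (AIP) inventory that the Description says the rule compares AWS login sources against, so an analyst following the link will not learn where the "managed device" set comes from. Please verify the link actually documents the AIP data the rule uses; if it does not, a reference describing the CrowdStrike agent-IP data source (or the lookup that feeds this rule) would be more useful. The same data-sheet URL is added to okta_login_from_crowdstrike_unmanaged_device.yml and onepassword_login_from_crowdstrike_unmanaged_device.yml in the last two hunks, so whatever is decided here should be applied there too.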
diff --git a/rules/crowdstrike_rules/crowdstrike_base64_encoded_args.yml b/rules/crowdstrike_rules/crowdstrike_base64_encoded_args.yml
index 2962d6ff2..d8ce42f37 100644
--- a/rules/crowdstrike_rules/crowdstrike_base64_encoded_args.yml
+++ b/rules/crowdstrike_rules/crowdstrike_base64_encoded_args.yml
@@ -11,7 +11,7 @@ Tags:
 Severity: Medium
 Description: Detects the execution of common command line tools (e.g., PowerShell, cmd.exe) with Base64 encoded arguments, which could indicate an attempt to obfuscate malicious commands.
 Runbook: Investigate the endpoint for signs of command line tool execution with Base64 encoded arguments. Review the executed command, decode the Base64 string, and analyze the original content.
-Reference: N/A
+Reference: https://www.crowdstrike.com/blog/blocking-fileless-script-based-attacks-using-falcon-script-control-feature/
 DedupPeriodMinutes: 60
 Tests:
 -
diff --git a/rules/crowdstrike_rules/crowdstrike_credential_dumping_tool.yml b/rules/crowdstrike_rules/crowdstrike_credential_dumping_tool.yml
index 5e646ea31..e54da19ef 100644
--- a/rules/crowdstrike_rules/crowdstrike_credential_dumping_tool.yml
+++ b/rules/crowdstrike_rules/crowdstrike_credential_dumping_tool.yml
@@ -3,6 +3,7 @@ Description: Detects usage of tools commonly used for credential dumping.
 DisplayName: "Crowdstrike Credential Dumping Tool"
 Enabled: true
 Filename: crowdstrike_credential_dumping_tool.py
+Reference: https://www.crowdstrike.com/blog/adversary-credential-theft/
 Severity: Critical
 Tests:
 - ExpectedResult: true
diff --git a/rules/crowdstrike_rules/crowdstrike_cryptomining_tools.yml b/rules/crowdstrike_rules/crowdstrike_cryptomining_tools.yml
index 8d43850c6..100896e8c 100644
--- a/rules/crowdstrike_rules/crowdstrike_cryptomining_tools.yml
+++ b/rules/crowdstrike_rules/crowdstrike_cryptomining_tools.yml
@@ -3,6 +3,7 @@ Description: Detects the execution of known crytocurrency mining tools.
 DisplayName: "Crowdstrike Cryptomining Tools "
 Enabled: true
 Filename: crowdstrike_cryptomining_tools.py
+Reference: https://www.crowdstrike.com/cybersecurity-101/cryptojacking/
 Severity: Critical
 Tests:
 - ExpectedResult: true
diff --git a/rules/crowdstrike_rules/crowdstrike_detection_passthrough.yml b/rules/crowdstrike_rules/crowdstrike_detection_passthrough.yml
index e80d0990a..c143fce11 100644
--- a/rules/crowdstrike_rules/crowdstrike_detection_passthrough.yml
+++ b/rules/crowdstrike_rules/crowdstrike_detection_passthrough.yml
@@ -11,6 +11,7 @@ Tags:
 - Crowdstrike
 Description: Crowdstrike Falcon has detected malicious activity on a host.
 Runbook: Follow the Falcon console link and follow the IR process as needed.
+Reference: https://www.crowdstrike.com/blog/tech-center/hunt-threat-activity-falcon-endpoint-protection/
 DedupPeriodMinutes: 0
 SummaryAttributes:
 - p_any_ip_addresses
diff --git a/rules/crowdstrike_rules/crowdstrike_macos_add_trusted_cert.yml b/rules/crowdstrike_rules/crowdstrike_macos_add_trusted_cert.yml
index 4e345cbf2..36c0f0286 100644
--- a/rules/crowdstrike_rules/crowdstrike_macos_add_trusted_cert.yml
+++ b/rules/crowdstrike_rules/crowdstrike_macos_add_trusted_cert.yml
@@ -4,6 +4,7 @@ Description: Detects attempt to install a root certificate on MacOS
 Enabled: true
 Filename: crowdstrike_macos_add_trusted_cert.py
 RuleID: Crowdstrike.Macos.Add.Trusted.Cert
+Reference: https://docs.panther.com/data-onboarding/supported-logs/crowdstrike#crowdstrike.processrollup2
 Severity: Medium
 LogTypes:
 - Crowdstrike.FDREvent
diff --git a/rules/crowdstrike_rules/crowdstrike_macos_osascript_administrator.yml b/rules/crowdstrike_rules/crowdstrike_macos_osascript_administrator.yml
index 6745ad6ae..faaf622cd 100644
--- a/rules/crowdstrike_rules/crowdstrike_macos_osascript_administrator.yml
+++ b/rules/crowdstrike_rules/crowdstrike_macos_osascript_administrator.yml
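Review bot: The Reference added to crowdstrike_macos_add_trusted_cert.yml links to the Panther ProcessRollup2 log-schema page rather than to anything about the behaviour the rule detects (installing a root certificate on macOS), so it is the odd one out in this commit, where every other hunk cites a write-up of the technique. A schema link is still useful, but it belongs next to the LogTypes entry or in the Runbook; for Reference, the MITRE ATT&amp;CK entry for Subvert Trust Controls: Install Root Certificate (T1553.004) or a vendor write-up on macOS trust-store tampering would give an analyst the context they need when triaging. The rule file's other fields are outside this hunk, so I cannot tell whether a Runbook already covers that.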
@@ -4,6 +4,7 @@ Description: Detects usage of osascript with administrator privileges
 Enabled: true
 Filename: crowdstrike_macos_osascript_administrator.py
 RuleID: Crowdstrike.Macos.Osascript.Administrator
+Reference: https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/
 Severity: Medium
 LogTypes:
 - Crowdstrike.FDREvent
diff --git a/rules/crowdstrike_rules/crowdstrike_macos_plutil_usage.yml b/rules/crowdstrike_rules/crowdstrike_macos_plutil_usage.yml
index 68a815219..267e95034 100644
--- a/rules/crowdstrike_rules/crowdstrike_macos_plutil_usage.yml
+++ b/rules/crowdstrike_rules/crowdstrike_macos_plutil_usage.yml
@@ -4,6 +4,7 @@ Description: Detects the usage of plutil to modify plist files. Plist files run
 Enabled: true
 Filename: crowdstrike_macos_plutil_usage.py
 RuleID: Crowdstrike.Macos.Plutil.Usage
+Reference: https://www.crowdstrike.com/blog/reconstructing-command-line-activity-on-macos/#:~:text=Terminal.savedState/.-,Windows.plist,-The%20file%20windows
 Severity: Medium
 LogTypes:
 - Crowdstrike.FDREvent
diff --git a/rules/crowdstrike_rules/crowdstrike_remote_access_tool_execution.yml b/rules/crowdstrike_rules/crowdstrike_remote_access_tool_execution.yml
index d92e769b9..5f9e985f3 100644
--- a/rules/crowdstrike_rules/crowdstrike_remote_access_tool_execution.yml
+++ b/rules/crowdstrike_rules/crowdstrike_remote_access_tool_execution.yml
@@ -3,6 +3,7 @@ Description: Detects usage of common remote access tools.
 DisplayName: "Crowdstrike Remote Access Tool Execution"
 Enabled: true
 Filename: crowdstrike_remote_access_tool_execution.py
+Reference: https://attack.mitre.org/techniques/T1219/
 Severity: Medium
 Tests:
 - ExpectedResult: true
diff --git a/rules/crowdstrike_rules/crowdstrike_reverse_shell_tool_executed.yml b/rules/crowdstrike_rules/crowdstrike_reverse_shell_tool_executed.yml
index d4dcaec70..6f9b4d13c 100644
--- a/rules/crowdstrike_rules/crowdstrike_reverse_shell_tool_executed.yml
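Review bot: The Reference added to crowdstrike_macos_plutil_usage.yml carries a scroll-to-text fragment (`#:~:text=Terminal.savedState/.-,Windows.plist,-The%20file%20windows`) on the end of the URL; text fragments are honoured only by some browsers, silently stop matching as soon as the article is edited, and the encoded `.-,` / `,-` delimiters make the value hard to read and easy to mangle in a YAML file. I would store the plain article URL, `Reference: https://www.crowdstrike.com/blog/reconstructing-command-line-activity-on-macos/`, and if the specific section on the saved-state plist is what matters, name it in the Runbook or Description so the pointer survives re-edits of the page. The other hunks in this commit use plain URLs, so this is also a consistency point.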
+++ b/rules/crowdstrike_rules/crowdstrike_reverse_shell_tool_executed.yml
@@ -3,6 +3,7 @@ Description: Detects usage of tools commonly used to to establish reverse shells
 DisplayName: "Crowdstrike Reverse Shell Tool Executed"
 Enabled: true
 Filename: crowdstrike_reverse_shell_tool_executed.py
+Reference: https://attack.mitre.org/techniques/T1059/
 Severity: High
 Tests:
 - ExpectedResult: true
diff --git a/rules/crowdstrike_rules/crowdstrike_systemlog_tampering.yml b/rules/crowdstrike_rules/crowdstrike_systemlog_tampering.yml
index ea6352da9..e0cd79aa9 100644
--- a/rules/crowdstrike_rules/crowdstrike_systemlog_tampering.yml
+++ b/rules/crowdstrike_rules/crowdstrike_systemlog_tampering.yml
@@ -3,6 +3,7 @@ Description: 'Detects when a user attempts to clear system logs. '
 DisplayName: "Crowdstrike Systemlog Tampering"
 Enabled: true
 Filename: crowdstrike_systemlog_tampering.py
+Reference: https://attack.mitre.org/techniques/T1070/001/
 Severity: High
 Tests:
 - ExpectedResult: true
diff --git a/rules/crowdstrike_rules/crowdstrike_unusual_parent_child_processes.yml b/rules/crowdstrike_rules/crowdstrike_unusual_parent_child_processes.yml
index ee1e2a156..e555a531a 100644
--- a/rules/crowdstrike_rules/crowdstrike_unusual_parent_child_processes.yml
+++ b/rules/crowdstrike_rules/crowdstrike_unusual_parent_child_processes.yml
@@ -3,6 +3,7 @@ Description: Detects unusual parent child process pairings.
 DisplayName: "Crowdstrike Unusual Parent Child Processes"
 Enabled: true
 Filename: crowdstrike_unusual_parent_child_processes.py
+Reference: https://medium.com/falconforce/falconfriday-e4554e9e6665
 Severity: Critical
 Tests:
 - ExpectedResult: true
diff --git a/rules/crowdstrike_rules/crowdstrike_wmi_query_detection.yml b/rules/crowdstrike_rules/crowdstrike_wmi_query_detection.yml
index f8af85c74..a089c13b6 100644
--- a/rules/crowdstrike_rules/crowdstrike_wmi_query_detection.yml
+++ b/rules/crowdstrike_rules/crowdstrike_wmi_query_detection.yml
@@ -4,6 +4,7 @@ DisplayName: "Crowdstrike WMI Query Detection"
 Enabled: true
 Filename: crowdstrike_wmi_query_detection.py
 Runbook: Investigate the endpoint for signs of WMI query execution. Review the executed query and the associated user account.
+Reference: https://learn.microsoft.com/en-us/windows/win32/wmisdk/querying-wmi
 Severity: Low
 Tests:
 - ExpectedResult: false
diff --git a/rules/crowdstrike_rules/okta_login_from_crowdstrike_unmanaged_device.yml b/rules/crowdstrike_rules/okta_login_from_crowdstrike_unmanaged_device.yml
index 1fce0d0e4..a20ef30f2 100644
--- a/rules/crowdstrike_rules/okta_login_from_crowdstrike_unmanaged_device.yml
+++ b/rules/crowdstrike_rules/okta_login_from_crowdstrike_unmanaged_device.yml
@@ -3,6 +3,7 @@ Description: Detects Okta Logins from IP addresses not found in CrowdStrike''s A
 DisplayName: "Okta Login From CrowdStrike Unmanaged Device"
 Enabled: false
 Filename: okta_login_from_crowdstrike_unmanaged_device.py
+Reference: https://www.crowdstrike.com/wp-content/uploads/2023/05/crowdstrike-falcon-device-control-data-sheet.pdf
 Severity: Medium
 Tests:
 - ExpectedResult: true
diff --git a/rules/crowdstrike_rules/onepassword_login_from_crowdstrike_unmanaged_device.yml b/rules/crowdstrike_rules/onepassword_login_from_crowdstrike_unmanaged_device.yml
index 61c521bcf..e8b1bc674 100644
--- a/rules/crowdstrike_rules/onepassword_login_from_crowdstrike_unmanaged_device.yml
+++ b/rules/crowdstrike_rules/onepassword_login_from_crowdstrike_unmanaged_device.yml
@@ -3,6 +3,7 @@ Description: Detects 1Password Logins from IP addresses not found in CrowdStrike
 DisplayName: "1Password Login From CrowdStrike Unmanaged Device"
 Enabled: false
 Filename: onepassword_login_from_crowdstrike_unmanaged_device.py
+Reference: https://www.crowdstrike.com/wp-content/uploads/2023/05/crowdstrike-falcon-device-control-data-sheet.pdf
 Severity: Medium
 Tests:
 - ExpectedResult: true